This blog is a personal book on Security/ IDM related thoughts/opinions.
The blog posts are a personal opinion only and neither reflect the views of current/past employers nor any OTHER person living/dead on this planet.


Saturday, June 30, 2007

I am back after a trip to San Francisco to lead JBoss/Red Hat at the OASIS XACML Interoperability Event at the Burton Catalyst Conference. It was a tremendously successful culmination of almost 2 months of effort by 8 vendors (BEA, IBM, JBoss/Red Hat, Oracle, CA, Jericho Systems, SymLabs and Securent) to interoperate. The whole exercise was a great way to detect bugs/issues in the various products. The collaboration between the vendors was done with courtesy and zero finger-pointing. There was never a feeling between us that we were competitors in many domains.

During the interop demo, users from various companies were pleasantly surprised that something like XACML standard existed to help solve their access control nightmares.

I got to meet Tony Nadalin from IBM again. Same goes with Hal Lockhart of BEA Systems. I wanted to meet Prateek Mishra from Oracle and I did. I also got to chat with Rich Levinson from Oracle, Sempo from Symlabs and Shekhar Sarrukkai from Securent. At the end of the event, I was fortunate to meet Gerry Gebel, VP, Identity and Privacy Strategies, Burton Group who was the individual who had sent me an invitation in March to check for participation.

If you need additional information, you can always contact me at ( anil DOT saldhana AT redhat DOT com).

I can vouch that this event raised a lot of eyebrows in the industry because my blog post on the XACML interop was perused consistently ever since it was published and it was a top hit on any Google search, given that it was the only blog posting any details about the event. This basically demonstrates the interest in the community about XACML.

On my part, I will be releasing a beta version of JBoss XACML v2.0 (first beta and then the GA version) in the next 30 days. You will be able to use the LGPL-licensed library in any Java application. If you need a fancy GUI tool to go with it, I would invite you to contribute one. :) Why am I planning on a v2.0 straight away? The answer lies in the version of the OASIS XACML Spec that it will support.

Monday, June 25, 2007

I was fortunate to make a presentation at the W3C Workshop on E-Government and the Web (June 18-19, 2007) to an audience that included Sir Tim Berners-Lee, technical representatives from Library of Congress, Other US Governmental Agencies, some UK Policy Makers (and technical representatives).

Three key points I stressed were:

a) Make E-Government Services secure for the Average Joe to use. It should be a collective effort from technologies, policies, processes and the people.

b) Let all the E-Government services be reachable from a single point of contact (Portals) that may be favorite to various cross-sections of people. If I live in Chicago, the IL State Portal can be the window of entry to all E-Government services.

c) Use of Federated Identity standards that are being developed including OpenID (in the blogosphere), SAML and WS-Federation. This will enable identity to be transmitted across the various e-gov services.

José Manuel Alonso, W3C eGovernment Lead, was telling me that at the previous eGovernment Workshop that was held in Spain, many of the government representatives had shared a concern that many of the European nations had issued National ID cards and brought out a lot of eServices that were used sparingly. Hence he liked my paper, which stressed the need for a single point of entry via a portal. This will actually build some trust context.

Initially, prior to the Workshop, it was my desire to shake Sir Tim's hand. But I got to sit beside him for 2-3 hours during the workshop (I hope some of the brilliance got transmitted to me - I can feel it). At the end of the first day of the workshop, I did discuss with Tim (he insisted on not calling him Sir Tim) whether the current world of phishing, online scams etc. was something he had not envisioned when he invented the WWW. I also asked him if security issues keep him awake at night. He said security is necessary (PGP, SSL etc.) but he does not have sleepless nights. :)

Wednesday, June 13, 2007

There are probably 2 weeks left until the OASIS Interoperability Event at the Burton Catalyst Conference. I have already met Tony and Hal. I am hoping to meet Bill, Anne, Seth, Rich, Prateek, Anil (Securent), Dennis and others on the XACML TC.

Here is a summary I pulled for the interop exercise.

Abbreviations: PEP stands for Policy Enforcement Point and PDP stands for Policy Decision Point.

Here is a description of the interop: two use cases, each with potentially multiple scenarios.

Use Case: Authorization Decision
========================

The Authorization Decision Interop will demonstrate that XACML 2.0 authorization decision requests generated by the PEP of Vendor A (PEP-A) are properly evaluated by the PDP of Vendor B (PDP-B), where Vendor A and Vendor B may be any of the vendors participating in the Interop.

Scenario 1: Authorization Decision: Customer Access
A customer from a web browser provides a user name and password. After authentication, the PEP packages the customer username, customerId and an operation of "ViewAccount" in the context of the CustomerAccount web application in an XACML request and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 2: Authorization Decision: Customer Transaction
A customer tries to purchase 500 shares of XYZ stock. The PEP gathers information on the transaction (namely, an operation of "Buy" and the number of shares, "500") and creates an XACML request with other contextual information and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 3: Authorization Decision: Account Manager Access
An account manager needs to approve a request. The PEP gathers information about the account manager and passes it to a PDP to evaluate the account manager's access.

Scenario 4: Authorization Decision: Account Manager Approval
The Account Manager needs to approve the stock purchase. The PEP gathers information about the Account Manager's approval and then asks the PDP to evaluate whether the approval should go through.

Use Case: Policy Exchange
===================

XACML Policies generated by one vendor are accessible and usable by the PDP of other vendors.

Friday, June 8, 2007

As a regular user of government services over the internet, I thought it was my duty to submit my thoughts to the workshop on e-government and the web hosted under the auspices of the W3C. The paper has been accepted and will be part of a discussion as highlighted here: http://www.w3.org/2007/06/eGov-dc/agenda

On the 18th, there is a keynote by Tim Berners-Lee. I am sure I will shake his hand. By inventing the WWW, he has indirectly placed bread on my table as well as made this blog entry possible. :)

Fun will be when Tim attends my presentation. It will be on the next day, the 19th.

Friday, June 1, 2007

As part of the XACML Interoperability preparations, I wrote client code that uses SAAJ 1.3 to build a SOAP message and send it across to any endpoint that supports scenario 1 of the interoperability process. I basically pass an endpoint URL to this set of program code and I get a SOAP response from the endpoint, which when processed yields an XACML decision.

Basically, I was able to call the endpoints of BEA, IBM, JBoss/Red Hat, Oracle, Securent and Jericho Systems with the same piece of client code and the same SOAP request (which internally contains the XACMLAuthDecisionQuery node) and get a PERMIT decision, irrespective of the implementation details of the XACML implementation at each of these endpoints.
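As an added illustration (not the SAAJ client from this post, and not code from any interop vendor), here is a Python sketch of the same exchange for Scenario 1 of the June 13 summary: build the XACML 2.0 request carrying the customer's username, customerId, the CustomerAccount resource and the ViewAccount action, wrap it in an XACMLAuthzDecisionQuery inside a SOAP body, and pull the PDP's decision out of the response, treating anything other than an explicit Permit as no access. Assumptions: the XACML 2.0 SAML-profile protocol namespace URI, a hypothetical attribute id for customerId (the interop's real one is not on the page), and a constructed sample response; the HTTP send itself is left out.

```python
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # XACML 2.0 request/response context
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"         # SOAP 1.1 envelope
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"     # assumed: XACML 2.0 SAML profile protocol ns
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CUSTOMER_ID = "urn:example:interop:customer-id"   # hypothetical id; the interop's real customerId URI is not on the page

def _attr(parent, attr_id, value):
    """Append one string-typed XACML Attribute under a Subject/Resource/Action element."""
    a = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{XACML_CTX}}}AttributeValue").text = value

def build_view_account_request(username, customer_id):
    """Scenario 1: customer 'username'/'customer_id' asks to ViewAccount in the CustomerAccount app."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")
    _attr(subj, SUBJECT_ID, username)
    _attr(subj, CUSTOMER_ID, customer_id)
    _attr(ET.SubElement(req, f"{{{XACML_CTX}}}Resource"), RESOURCE_ID, "CustomerAccount")
    _attr(ET.SubElement(req, f"{{{XACML_CTX}}}Action"), ACTION_ID, "ViewAccount")
    ET.SubElement(req, f"{{{XACML_CTX}}}Environment")   # required by the 2.0 schema even when empty
    return req

def wrap_in_soap(request):
    """Place the Request inside an XACMLAuthzDecisionQuery in a SOAP Body, as the PEP client sends it."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    ET.SubElement(body, f"{{{XACML_SAMLP}}}XACMLAuthzDecisionQuery").append(request)
    return ET.tostring(env, encoding="unicode")

def decision_from_soap_response(soap_xml):
    """Return the PDP's Decision text from a SOAP response, or None if no Result/Decision is present."""
    node = ET.fromstring(soap_xml).find(f".//{{{XACML_CTX}}}Result/{{{XACML_CTX}}}Decision")
    return node.text.strip() if node is not None and node.text else None

def is_permitted(soap_xml):
    """Fail closed: only an explicit Permit grants access; Deny, NotApplicable, Indeterminate or a missing Decision do not."""
    return decision_from_soap_response(soap_xml) == "Permit"

# Constructed sample response in the shape a vendor PDP returns it (not a capture from the interop).
SAMPLE_RESPONSE = f"""<Envelope xmlns="{SOAP_ENV}"><Body><Response xmlns="{XACML_CTX}">
<Result ResourceId="CustomerAccount"><Decision>Permit</Decision>
<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status></Result>
</Response></Body></Envelope>"""
```

The `is_permitted` check is the part a PEP must get right: a transport error, a schema mismatch or an Indeterminate from a foreign PDP must end up as a denial, not a pass.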

I would like to salute standards that make interoperability a reality. The same salute goes to the faucet makers, who follow standards and who came to my rescue when the hand sprayer from the kitchen tap at my house snapped. All I had to do was go to Home Depot and buy a generic one.